CCC.SecMgmt Test: finos-ccc-integration-secret-main

Test Parameters

ServiceType	secrets
ProviderServiceType	secretmanager.googleapis.com/Secret
CatalogTypes	CCC.SecMgmt
TagFilter	@Behavioural, @secrets, @Behavioural
UID	finos-ccc-integration-secret-main
ResourceName	finos-ccc-integration-secret-main
Config	{}
authorized-region	us-central1
catalog-versions	{ "CCC.Core": "v2025.10", "CCC.SecMgmt": "DEV" }
gcp-project-id	nodal-time-474015-p5
gcp-secret-id	finos-ccc-integration-secret-main
permitted-regions	[ "us-central1" ]
provider	gcp
region	us-central1
resource	finos-ccc-integration-secret-main
service	secrets
service-type	secrets
tags	@Behavioural @secrets
unauthorized-region	europe-west1

Summary

Generated: 2026-06-16 15:50:47

Total Run Time: 4s

Features: 2

Scenarios: 4 (✅ 3 | ❌ 1)

Steps: 26 (✅ 25 | ❌ 1 | ⏭️ 0 | ❓ 0)

Feature: CCC.SecMgmt.CN01.AR01 - Deny Outdated Secret Version After Rotation

Scenario: Current secret version is readable @CCC.SecMgmt @CCC.SecMgmt.CN01 @PerService @tlp-amber @tlp-red @Behavioural @secrets @SANITY @OPT_IN

Given a cloud api for "{config}" in "api"48µs

And I call "{api}" with "GetServiceAPI" using argument "secrets"149µs

And I refer to "{result}" as "svc"24µs

When I call "{svc}" with "RetrieveSecretVersion" using arguments "{uid}" and "latest"773ms

Then "{result}" is not an error38µs

And I refer to "{result}" as "currentSecret"66µs

And I attach "{currentSecret}" to the test output as "Current Secret Version"82µs

Then "{currentSecret.Denied}" is "false"34µs

📎 Attachments:

Current Secret Version

View JSON (89 bytes)

{"Plaintext":"ccc-integration-secret-v2","VersionID":"latest","Denied":false,"Reason":""}

Scenario: Stale secret version retrieve is denied @CCC.SecMgmt @CCC.SecMgmt.CN01 @PerService @tlp-amber @tlp-red @Behavioural @secrets @MAIN

Given a cloud api for "{config}" in "api"31µs

And I call "{api}" with "GetServiceAPI" using argument "secrets"64µs

And I refer to "{result}" as "svc"23µs

When I call "{svc}" with "RetrieveSecretVersion" using arguments "{uid}" and "{stale-version-id}"771ms

Then "{result}" is an error40µs

expected {result} to be an error, got *secrets.SecretValue

Feature: CCC.SecMgmt.CN02.AR01 - Deny Retrieve From Unauthorized Region

Scenario: Authorized region read succeeds @CCC.SecMgmt @CCC.SecMgmt.CN02 @PerService @tlp-amber @tlp-red @Behavioural @secrets @SANITY @OPT_IN

Given a cloud api for "{config}" in "api"30µs

And I call "{api}" with "GetServiceAPI" using argument "secrets"36µs

And I refer to "{result}" as "svc"21µs

When I call "{svc}" with "RetrieveSecretInRegion" using arguments "{uid}" and "{authorized-region}"744ms

Then "{result}" is not an error43µs

And I refer to "{result}" as "authorizedRead"21µs

And I attach "{authorizedRead}" to the test output as "Authorized Region Read"38µs

Then "{authorizedRead.Denied}" is "false"46µs

📎 Attachments:

Authorized Region Read

View JSON (58 bytes)

{"Plaintext":"","VersionID":"","Denied":false,"Reason":""}

Scenario: Unauthorized region read is denied @CCC.SecMgmt @CCC.SecMgmt.CN02 @PerService @tlp-amber @tlp-red @Behavioural @secrets @MAIN

Given a cloud api for "{config}" in "api"41µs

And I call "{api}" with "GetServiceAPI" using argument "secrets"42µs

And I refer to "{result}" as "svc"23µs

When I call "{svc}" with "RetrieveSecretInRegion" using arguments "{uid}" and "{unauthorized-region}"1s

Then "{result}" is an error26µs

🥒 CCC.SecMgmt Test: finos-ccc-integration-secret-main

Test Parameters

Summary